Gamaredon exploits WinRAR bug to deliver GammaWorm and GammaSteel

Gamaredon used WinRAR flaw CVE-2025-8088 in January 2026 to drop an HTA that loads VBScript downloaders, deploying GammaWorm and GammaSteel in Ukraine.
French cybersecurity firm Sekoia observed in January 2026 that the group Gamaredon weaponized a WinRAR path traversal flaw, tracked as CVE-2025-8088, to deliver an HTML Application payload named GammaPhish. GammaPhish retrieves a VBScript downloader called GammaLoad. GammaLoad fingerprints hosts, updates network configuration in the Windows registry using dead drop resolvers (DDRs), and fetches and runs VBScript payloads from command-and-control servers.
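Archive path traversal of the kind described above works because an extractor trusts the entry name inside the archive when it chooses where to write. The following added check (not Sekoia's or WinRAR's code, and written against generic archive entry names rather than the RAR format) shows the classification a hardened extractor or mail gateway would run on every entry name before extraction: absolute or drive-relative paths, `..` components, and NTFS alternate data stream syntax are all rejected, and a second, independent check confirms the resolved path stays under the destination directory. The listing at the bottom is constructed for the example.

```python
import os
import re
from dataclasses import dataclass

# Matches a Windows drive prefix such as "C:" at the start of an entry name.
_DRIVE_RE = re.compile(r"^[A-Za-z]:")


@dataclass(frozen=True)
class EntryVerdict:
    name: str
    safe: bool
    reason: str


def check_entry_name(name: str) -> EntryVerdict:
    """Classify one archive entry name before it is handed to an extractor."""
    # Windows extractors accept both separators, so normalize to one form first.
    norm = name.replace("\\", "/")
    if norm in ("", "/"):
        return EntryVerdict(name, False, "empty entry name")
    if norm.startswith("/") or _DRIVE_RE.match(norm):
        return EntryVerdict(name, False, "absolute or drive-relative path")
    parts = [p for p in norm.split("/") if p not in ("", ".")]
    if ".." in parts:
        return EntryVerdict(name, False, "directory traversal component")
    # "file.txt:stream" is NTFS alternate data stream syntax; an extractor that
    # honours it writes data the user never sees in the extracted tree.
    if any(":" in p for p in parts):
        return EntryVerdict(name, False, "alternate data stream syntax")
    return EntryVerdict(name, True, "ok")


def resolves_inside(dest_dir: str, name: str) -> bool:
    """Independent second check: the joined path must stay under dest_dir."""
    dest = os.path.abspath(dest_dir)
    target = os.path.abspath(os.path.join(dest, name.replace("\\", "/")))
    return os.path.commonpath([dest, target]) == dest


def triage_listing(names, dest_dir="/tmp/extract"):
    """Return the entries that fail either check, each with the first reason found."""
    findings = []
    for n in names:
        verdict = check_entry_name(n)
        if verdict.safe and not resolves_inside(dest_dir, n):
            verdict = EntryVerdict(n, False, "escapes destination after resolution")
        if not verdict.safe:
            findings.append(verdict)
    return findings


# Constructed archive listing for the example: two benign entries and three
# entry names a hardened extractor must refuse.
SAMPLE_LISTING = [
    "report.pdf",
    "images/logo.png",
    "..\\..\\outside.txt",
    "C:/Windows/Temp/x.bin",
    "report.pdf:hidden",
]

if __name__ == "__main__":
    for v in triage_listing(SAMPLE_LISTING):
        print(f"REJECT {v.name!r}: {v.reason}")
```

The two checks are deliberately independent: the name check is cheap and explains the rejection, while the resolution check catches anything a future normalization quirk lets through. Run the same function over `unrar l`/`7z l` output on quarantined archives to triage them without extracting.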
One VBScript payload, GammaWorm, creates persistence by adding scheduled tasks and spreads by hiding legitimate folders on network shares and USB drives, replacing them with malicious Windows shortcut (LNK) files that execute code from a remote command-and-control server. GammaWorm resolves its C2 by issuing an HTTP GET request with curl to a hard-coded public Telegram channel and uses NTFS Alternate Data Streams to conceal modules on disk.
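The folder-impersonation layout GammaWorm leaves on a share or USB drive (a hidden folder next to a shortcut of the same name) is easy to sweep for. The added example below is not Sekoia's tooling or any GammaWorm code: it walks a tree, flags every `.lnk` whose stem matches a sibling directory, and parses the shortcut's StringData section (per the MS-SHLLINK layout) to report what it would launch. The token list used to mark a shortcut as suspicious, the `build_lnk` fixture builder and the `example.invalid` URL are assumptions of this example, not indicators from the article; the sample tree is constructed in a temporary directory.

```python
import os
import struct
import tempfile
import uuid
from pathlib import Path

# MS-SHLLINK shell link header: fixed 0x4C-byte size and the shell link CLSID.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046").bytes_le
# LinkFlags bits that control which optional structures follow the header.
HAS_TARGET_IDLIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
# StringData fields appear in this fixed order, each only if its flag is set.
STRING_FIELDS = [("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION)]
# Assumed triage list: script hosts, downloaders and URLs in a shortcut that
# impersonates a folder are worth an analyst's attention.
SUSPICIOUS_TOKENS = ("mshta", "wscript", "cscript", "powershell", "cmd.exe",
                     "curl", "http://", "https://")


def parse_lnk_strings(data: bytes) -> dict:
    """Return the StringData fields (target path, arguments, ...) of a .lnk file."""
    if len(data) < LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags, = struct.unpack_from("<I", data, 0x14)
    pos = LNK_HEADER_SIZE
    if flags & HAS_TARGET_IDLIST:      # IDListSize (u16) followed by the item list
        size, = struct.unpack_from("<H", data, pos)
        pos += 2 + size
    if flags & HAS_LINK_INFO:          # LinkInfoSize (u32) counts itself
        size, = struct.unpack_from("<I", data, pos)
        pos += size
    fields = {}
    for key, bit in STRING_FIELDS:     # each field: CountCharacters (u16) + chars
        if not flags & bit:
            continue
        count, = struct.unpack_from("<H", data, pos)
        pos += 2
        if flags & IS_UNICODE:
            fields[key] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[key] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Constructed test fixture: a minimal Unicode .lnk carrying only a
    RELATIVE_PATH and ARGUMENTS (real shortcuts usually also carry an IDList)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIiIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


def scan_for_folder_impersonation(root: str) -> list:
    """Find .lnk files whose stem matches a sibling directory and report their target."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirset = set(dirnames)
        for fn in filenames:
            if not fn.lower().endswith(".lnk") or fn[:-4] not in dirset:
                continue
            path = os.path.join(dirpath, fn)
            try:
                fields = parse_lnk_strings(Path(path).read_bytes())
            except ValueError:
                fields = {}
            blob = " ".join(fields.values()).lower()
            findings.append({
                "lnk": path,
                "shadowed_dir": os.path.join(dirpath, fn[:-4]),
                "target": fields.get("relative_path", ""),
                "arguments": fields.get("arguments", ""),
                "suspicious": any(tok in blob for tok in SUSPICIOUS_TOKENS),
            })
    return findings


def demo() -> list:
    """Build a constructed share-like tree with one impersonated folder and scan it."""
    root = tempfile.mkdtemp(prefix="share-")
    os.makedirs(os.path.join(root, "Documents"))
    Path(root, "Documents", "notes.txt").write_text("benign content")
    # Placeholder URL; not an indicator from the article.
    Path(root, "Documents.lnk").write_bytes(
        build_lnk("..\\..\\Windows\\System32\\mshta.exe", "https://c2.example.invalid/placeholder"))
    Path(root, "readme.lnk").write_bytes(build_lnk("readme.txt", ""))  # no sibling dir: ignored
    return scan_for_folder_impersonation(root)


if __name__ == "__main__":
    for f in demo():
        print(f)
```

On a live Windows host the hidden attribute on the shadowed directory is the confirming signal; pair this sweep with a check of the directory's attributes and of scheduled tasks created around the same time, since the article names both as GammaWorm behaviours.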
Another payload, GammaSteel, is a modular information stealer that collects files with specific extensions and uploads them to an Amazon Web Services S3 bucket, with an attacker-controlled server used as a fallback. The modular design allows operators to update or swap payloads and could enable delivery of other tools, including a destructive variant referred to as GammaWipe.
Sekoia noted uncertainty over how GammaWorm is introduced: it may be dropped by GammaLoad in the same chain or placed via a weaponized USB drive. The firm assessed with high confidence that GammaPhish is designed to deploy GammaLoad first.
Other tracked activity against Ukraine was reported alongside this campaign. UAC-0184 used LNK lures to deliver an executable tied to the PassMark BurnInTest program to military-related targets. UAC-0247 deployed HTA droppers inside ZIP archives to install backdoors capable of creating reverse shells. ExaTrack mapped PixyNetLoader, attributed to APT28, exploiting a Microsoft Office vulnerability (CVE-2026-21509) to drop a COVENANT Grunt implant; activity traces to December 2024 with sightings as recently as April 15, 2026.
Gamaredon is officially linked to Russia’s Federal Security Service and has targeted Ukrainian government, military and infrastructure with spear-phishing using booby-trapped RAR archives. Sekoia described the infection chain as “resilient, massive, and highly obfuscated modular design” and stated the architecture is likely to be reused.